The client is a renowned B2B data provider, recognized by Forrester as a leader in delivering crucial insights and marketing solutions. Their offerings include high-quality data that enables thousands of businesses to make data-inspired decisions. The client's data technology integrates seamlessly into existing workflows, enabling new opportunities and incorporating complementary components, applications, and services.
The client required comprehensive security testing for 40 applications, comprising both in-house and customer-facing applications, via Static Application Security Testing, Dynamic Application Security Testing, and Threat Modelling. Static Application Security Testing (SAST) helps uncover flaws in the source code, configuration files, and other components without executing the application. In addition to SAST, the client needed Dynamic Application Security Testing (DAST) to assess the security of their applications at runtime and detect vulnerabilities that may not be apparent in the source code.
The client also sought to develop threat models using the Microsoft Threat Modelling Tool. The challenge was to gain a comprehensive understanding of the security requirements of all systems, including the server environment, in order to uncover and mitigate security vulnerabilities across the applications.
Xoriant Solution | Key Contributions
Xoriant was approached for its extensive capabilities in application security and testing. The Xoriant team started with an automated review of the coding standards for the applications, incorporating language-specific checks. They identified methods, functions, and controls in the code that did not align with the Secure Coding Practices baseline. The team then analyzed the results from thorough black-box security testing and provided observations and recommendations for the identified vulnerabilities. This ensured that the client had a clear understanding of the potential risks and actionable steps to mitigate them.
The Xoriant team also conducted application security testing based on the OWASP Top 10 standard. Further, they reviewed the results from the testing tool, meticulously identifying and eliminating any "false positive" vulnerabilities in the applications. The team then outlined specific remediation actions to eliminate or reduce the risks associated with the identified vulnerabilities. This guidance was provided for various application types, including web apps, APIs, and cloud-based, in-house-built applications.
The implementation of Xoriant's solution yielded several significant business benefits for the client:
Secure Codebase and Design: Xoriant's expertise ensured a secure codebase and design for the applications at all stages of development. Using Xoriant's risk assessment framework, the team enhanced the overall security posture and reduced the potential for security breaches.
Regulatory Compliance: The client's applications met regulatory compliance requirements, ensuring adherence to industry standards and mitigating the risk of non-compliance penalties, which can add up to hundreds of thousands of dollars every year.
Reduction in "False Positive" Vulnerabilities: Through manual analysis, Xoriant effectively reduced the number of false positive vulnerabilities, enabling the client to focus on addressing genuine security concerns efficiently.
Adoption of Best Practices: By implementing the STRIDE methodology for Threat Modelling and using DREAD scoring to rate Dynamic Application Security Testing (DAST) findings, the client incorporated industry best practices, strengthening their security approach.
Overall, Xoriant's solution provided the client with a robust and comprehensive security assessment, enabling them to identify and address vulnerabilities, enhance their security posture, and meet regulatory requirements efficiently.